From: Junio C Hamano <gitster@pobox.com>
To: git@vger.kernel.org
Cc: Linux Kernel <linux-kernel@vger.kernel.org>
Subject: [ANNOUNCE] Git v2.13.6 and others
Date: Tue, 26 Sep 2017 15:09:00 +0900
Message-ID: <xmqqy3p29ekj.fsf@gitster.mtv.corp.google.com>

Maintenance releases Git v2.10.5, v2.11.4, v2.12.5 and v2.13.6 are
now available at the usual places.

These are solely about hardening "git shell" that is used on servers
against an unsafe user input, which "git cvsserver" copes with
poorly.  A copy of the release notes for v2.10.5 is attached at the
end of the message, but the notes for other releases listed above
essentially say the same thing.

The tarballs are found at:

    https://www.kernel.org/pub/software/scm/git/

The following public repositories all have a copy of the 'v2.10.5',
'v2.11.4', 'v2.12.5' and 'v2.13.6' tags and some of them have the
'maint-2.10', 'maint-2.11', 'maint-2.12' and 'maint-2.13' branches
that the tags point at:

  url = https://kernel.googlesource.com/pub/scm/git/git
  url = git://repo.or.cz/alt-git.git
  url = https://github.com/gitster/git

Note that the committed version of the release notes for these
versions all incorrectly mention "git daemon", where they should
have said "git shell".  It has been corrected in the attached copy,
but because the release engineering was done several days in advance
and the tags have already been shared with binary packagers and
others at the git-security@googlegroups.com mailing list, these
release tarballs are issued _with_ the known typo to avoid confusion
of having two release tags with different contents.  Sorry about
that.

----------------------------------------------------------------

Git v2.10.5 Release Notes
=========================

Fixes since v2.10.4
-------------------

 * "git cvsserver" no longer is invoked by "git shell" by default,
   as it is old and largely unmaintained.

 * Various Perl scripts did not use safe_pipe_capture() instead of
   backticks, leaving them susceptible to end-user input.  They have
   been corrected.

Credits go to joernchen <joernchen@phenoelit.de> for finding the
unsafe constructs in "git cvsserver", and to Jeff King at GitHub for
finding and fixing instances of the same issue in other scripts.

----------------------------------------------------------------

Changes since v2.10.4 are as follows:

Jeff King (3):
      shell: drop git-cvsserver support by default
      archimport: use safe_pipe_capture for user input
      cvsimport: shell-quote variable used in backticks

Junio C Hamano (3):
      cvsserver: move safe_pipe_capture() to the main package
      cvsserver: use safe_pipe_capture for `constant commands` as well
      Git 2.10.5

joernchen (1):
      cvsserver: use safe_pipe_capture instead of backticks
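
The release notes above describe replacing backticks with safe_pipe_capture() in Perl scripts that handle end-user input. The Perl sketch below is an added example, not code from git or from this message, contrasting the two ways of capturing command output; the helper name capture_argv and the sample input are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample input standing in for a value an end user controls
# (for example a module or branch name sent by a client).
my $user_input = 'master; echo INJECTED';

# Unsafe: backticks hand one interpolated string to /bin/sh, so the ';'
# ends the intended command and the remainder runs as a second command.
sub capture_with_backticks {
    my ($arg) = @_;
    return `printf '%s\\n' $arg`;
}

# Hardened: fork with open('-|') and exec() an argument list. No shell
# parses the arguments, so metacharacters reach the program as plain bytes.
# capture_argv is a hypothetical name used only in this sketch.
sub capture_argv {
    my @cmd = @_;
    my $pid = open(my $child, '-|');
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {
        # Child: the block form of exec never falls back to a shell.
        exec { $cmd[0] } @cmd or die "exec $cmd[0] failed: $!";
    }
    # Parent: read everything the child wrote to its stdout.
    my @output = <$child>;
    close($child) or die "@cmd: exit status $?";
    return wantarray ? @output : join('', @output);
}

my $unsafe = capture_with_backticks($user_input);
my $safe   = capture_argv('printf', '%s\n', $user_input);

# The backtick form yields two lines ("master" and "INJECTED");
# the list form yields the input back as one literal line.
print "backticks: $unsafe";
print "list exec: $safe";
```

When auditing Perl for the same class of issue, search for backticks, qx// and single-string system() or open() calls whose command text interpolates a variable.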